The U.S. Department of Education’s Federal Information Security Modernization Act of 2014 Report For Fiscal Year 2017
FINAL AUDIT REPORT
ED-OIG/A11R0001
October 2017
Our mission is to promote the efficiency, effectiveness, and integrity of the Department’s programs and operations.
U.S. Department of Education Office of Inspector General
Information Technology Audit Division, Washington, DC
NOTICE
Statements that managerial practices need improvements, as well as other conclusions and recommendations in this report, represent the opinions of the Office of Inspector General. Determinations of corrective action to be taken will be made by the appropriate Department of Education officials.
In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.
Abbreviations and Acronyms Used in this Report
BIA: Business Impact Assessment
CDM: Continuous Diagnostics and Mitigation
CIGIE: Council of the Inspectors General on Integrity and Efficiency
CIO: Chief Information Officer
CSAM: Cyber Security Assessment and Management
Department: U.S. Department of Education
DHS: Department of Homeland Security
EARB: Enterprise Architecture Review Board
EDSOC: Education Security Operations Center
EDUCATE: Education Department Utility for Communications, Applications, and Technology Environment
FISMA: Federal Information Security Modernization Act of 2014
FSA: Federal Student Aid
FY: Fiscal Year
ICAM: Identity, Credential, and Access Management
ISA: Interconnection Security Agreement
ISCM: Information Security Continuous Monitoring
IT: Information Technology
NTT: NTT DATA Services
NIST: National Institute of Standards and Technology
OCIO: Office of the Chief Information Officer
OIG: Office of Inspector General
OMB: Office of Management and Budget
POA&M: Plan of Action and Milestones
SP: Special Publication
TIC: Trusted Internet Connection
TLS: Transport Layer Security
US-CERT: United States Computer Emergency Readiness Team
UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL
400 MARYLAND AVENUE, S.W., WASHINGTON, DC 20202-1510
Promoting the efficiency, effectiveness, and integrity of the Department's programs and operations.
October 31, 2017
Memorandum
TO: Joseph C. Conaty, Delegated the Duties and Functions of the Deputy Secretary
Wayne Johnson, Chief Operating Officer
FROM: Charles E. Coe, Jr., Assistant Inspector General, Information Technology Audits and Computer Crime Investigations, Office of Inspector General
SUBJECT: Final Audit Report, The U.S. Department of Education's Federal Information Security Modernization Act of 2014 for Fiscal Year 2017, Control Number ED-OIG/A11R0001
Attached is the subject final audit report that covers the results of our review of the U.S. Department of Education's (Department) compliance with the Federal Information Security Modernization Act of 2014 for fiscal year 2017. An electronic copy has been provided to your Audit Liaison Officers. We received your comments on the findings and recommendations in our draft report.
Corrective actions proposed (resolution phase) and implemented (closure phase) by your offices will be monitored and tracked through the Department's Audit Accountability and Resolution Tracking System. The Department's policy requires that you develop a final corrective action plan for our review in the automated system within 30 days of the issuance of this report. The corrective action plan should set forth the specific action items, and targeted completion dates, necessary to implement final corrective actions on the findings and recommendations contained in this final audit report.
In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector General is required to report to Congress twice a year on the audits that remain unresolved after six months from the date of issuance.
In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.
We appreciate the cooperation given to us during this review. If you have any questions, please call Joseph Maranto at 202-245-7044.
Enclosure
cc:
Jason Gray, Chief Information Officer, Office of the Chief Information Officer
Keith Wilson, Chief Information Officer, Federal Student Aid
Leslie Willoughby, Deputy Chief Information Officer, Federal Student Aid
Daniel Galik, Director, Information Assurance Services, Office of the Chief Information Officer
Dan Commons, Director, Information Technology Risk Management Group, Federal Student Aid
Kelly Cline, Audit Liaison, Office of the Chief Information Officer
Stefanie Clay, Audit Liaison, Federal Student Aid
Bucky Methfessel, Senior Counsel for Information & Technology, Office of the General Counsel
Mark Smith, Deputy Assistant Inspector General for Investigations
Charles Laster, Post Audit Group, Office of the Chief Financial Officer
L’Wanda Rosemond, AARTS Administrator, Office of Inspector General
TABLE OF CONTENTS
EXECUTIVE SUMMARY ... 1
BACKGROUND ... 5
AUDIT RESULTS ... 10
  SECURITY FUNCTION 1—IDENTIFY ... 10
    METRIC DOMAIN 1—RISK MANAGEMENT ... 11
  SECURITY FUNCTION 2—PROTECT ... 16
    METRIC DOMAIN 2—CONFIGURATION MANAGEMENT ... 17
    METRIC DOMAIN 3—IDENTITY AND ACCESS MANAGEMENT ... 24
    METRIC DOMAIN 4—SECURITY TRAINING ... 29
  SECURITY FUNCTION 3—DETECT ... 31
    METRIC DOMAIN 5—INFORMATION SECURITY CONTINUOUS MONITORING ... 32
  SECURITY FUNCTION 4—RESPOND ... 35
    METRIC DOMAIN 6—INCIDENT RESPONSE ... 35
  SECURITY FUNCTION 5—RECOVER ... 40
    METRIC DOMAIN 7—CONTINGENCY PLANNING ... 40
OTHER MATTERS ... 45
OBJECTIVE, SCOPE, AND METHODOLOGY ... 46
Enclosure 1: CyberScope FISMA Reporting Metrics ... 49
Enclosure 2: Management Comments ... 63
Final Report ED-OIG/A11R0001 Page 1 of 71
EXECUTIVE SUMMARY
This report constitutes the Office of Inspector General’s
independent evaluation of the U.S. Department of Education’s
(Department) information technology security program and practices,
as required by the Federal Information Security Modernization Act
of 2014 (FISMA). Our report is based on, and incorporates, the
Fiscal Year (FY) 2017 Inspector General Federal Information
Security Modernization Act of 2014 Reporting Metrics V1.0 (issued
April 17, 2017) (FY 2017 IG FISMA Metrics) prepared by the Council
of the Inspectors General on Integrity and Efficiency, the Office
of Management and Budget, and the U.S. Department of Homeland
Security, in consultation with the Federal Chief Information
Officer Council.
What Was Our Objective?
Our objective was to determine whether the Department’s and Federal Student Aid’s (FSA) overall information technology security programs and practices were effective as they relate to Federal information security requirements. The FY 2017 IG FISMA Metrics are grouped into seven metric domains and organized around the five Cybersecurity Framework Security Functions (security functions) outlined in the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity:
• Identify security function (one metric domain—Risk Management);
• Protect security function (three metric domains—Configuration Management, Identity and Access Management, and Security Training);
• Detect security function (one metric domain—Information Security Continuous Monitoring);
• Respond security function (one metric domain—Incident Response); and
• Recover security function (one metric domain—Contingency Planning).
Under the FY 2017 IG FISMA Metrics, inspectors general assess
the effectiveness of each security function using maturity level
scoring.1 The scoring distribution is based on five maturity levels
outlined in the FY 2017 IG FISMA Metrics: (1) Ad-hoc, (2) Defined,
(3) Consistently Implemented, (4) Managed and Measurable, and (5)
Optimized. Level 1, Ad-hoc, is the lowest maturity level and Level
5, Optimized, is the highest maturity level. For a security
function to be considered effective, agencies’ security programs
must score at or above Level 4, Managed and Measurable.
To meet the objective, we conducted audit work in the seven metric domains. We assessed the effectiveness of security controls based on the extent to which the controls were implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information systems we reviewed in their operational environment.2
1 The maturity model was prepared in coordination with the Office of Management and Budget and the Department of Homeland Security.
What We Reviewed
Within each metric domain, we reviewed information technology
controls, policies and procedures, and current processes to
determine whether they operated as intended as specified by the FY
2017 FISMA Metrics. We report our results on each of these metric
domains to the Office of Management and Budget as required; see
Enclosure 1. Based on our work on these metric domains, we scored
effectiveness against the maturity level reached within each of the
five security functions.
Our audit work included the following testing procedures: (1)
system-level testing for the Configuration Management, Risk
Management, and Contingency Planning metric domains; (2)
vulnerability assessments of systems, applications, and
infrastructure; (3) verification of training evidence; (4) testing
of remote access control settings; and (5) observation of Education
Department Utility for Communications, Applications, and Technology
Environment’s comprehensive disaster recovery exercise.
During the FY 2016 FISMA audit, we found that the Department and
FSA were not generally effective in three security functions
(Protect, Detect, and Respond), but were generally effective in two
security functions—Identify and Recover.
What We Found
As guided by the maturity model used in the FY 2017 IG FISMA
Metrics, we found the Department and FSA were not effective in all
five security functions—Identify, Protect, Detect, Respond, and
Recover. We also identified findings in all seven metric domains:
(1) Risk Management, (2) Configuration Management, (3) Identity and
Access Management, (4) Security Training, (5) Information Security
Continuous Monitoring, (6) Incident Response, and (7) Contingency
Planning. At the metric domains level, we determined that the
Department’s and FSA’s programs were consistent with the maturity
level of Defined for Configuration Management, Identity and Access
Management, Security Training, Information Security Continuous
Monitoring, Incident Response, and Contingency Planning. We
determined the programs were consistent with the maturity level of
Consistently Implemented for Risk Management.
The FY 2017 maturity model was more comprehensive, and its attributes were assessed differently, than the previous year’s maturity model indicator scoring. As a result, certain functions were assessed at a lower level. Despite the lower overall scoring due to changes in the maturity model, we found several areas of improvement from FY 2016. Specifically, in FY 2017, we found that the Department and FSA have made improvements in developing and strengthening their security programs. We found the Department and FSA have developed their risk management programs by establishing workshops and forums to inform stakeholders on risk management issues. The Department and FSA have made progress in defining and communicating responsibilities of configuration management to stakeholders and began performing an assessment of skills, knowledge, and resources to effectively implement a configuration management program. In March 2017, in response to a FY 2016 FISMA audit finding, the Office of the Chief Information Officer developed a strategy to replace current token access with personal identity verification cards for remote users. Also, the Department uses performance metrics and lessons learned, together with communication with its stakeholders, as a way to determine whether the Information Security Continuous Monitoring program is fully integrated. In addition, to address the effectiveness of the incident response program, both the Department’s and FSA’s Security Operations Centers participated in tabletop exercises that provided stakeholders an opportunity to walk through the incident response process and procedures using actual incident scenarios and testing of breach responsiveness.
Although the Department and FSA made progress in strengthening their information security programs, we found weaknesses in the Department’s and FSA’s information systems, and those systems continued to be vulnerable to security threats.
2 Our determination of effectiveness is based on the definition cited in National Institute of Standards and Technology Special Publication 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations.”
For Risk Management, we found that improvements are needed in
(1) updating inventory guidance, (2) ensuring that security control
compliance and access language are included in contracts, and (3)
maintaining a complete website inventory.
For Configuration Management, we found that the Department (1)
was not using appropriate application connection protocols; (2) was
unable to protect against unauthorized devices connecting to its
network; (3) used unsupported operating systems, databases, and
applications in its production environment; (4) had not configured
websites to encrypt data transmission; (5) had not adequately
protected personally identifiable information; and (6) did not
define common secure configurations.
For Identity and Access Management, we found that the Department
and FSA can strengthen their controls in the areas of (1)
background investigations being completed before granting system
access; (2) managing external privileged accounts; (3) Identity,
Credential, and Access Management enterprise roadmap implementation
plans; (4) consistently implementing the Identity, Credential, and
Access Management strategy; (5) implementing the network access
control solution; and (6) displaying system warning banners.
For Security Training, we found that contractors were able to
obtain access to Departmental resources before fulfilling their
training requirements.
For its Information Security Continuous Monitoring program, we
found that the Department can strengthen its controls in the areas
of (1) security control monitoring, (2) developing and identifying
roles and responsibilities, and (3) fully implementing its
continuous diagnostics and mitigation program.
For its Incident Response program, we found that the Department
can strengthen its controls in the areas of (1) updating current
guidance, (2) training key personnel, (3) timely reporting
incidents, and (4) maintaining current interconnection security
agreements.
For its Contingency Planning program, we found that the
Department can strengthen its controls regarding contingency
planning in the areas of (1) enterprise skill assessment; (2)
documenting contingency plans, business impact assessments, and
contingency plan testing; and (3) contingency plan
completeness.
Our answers to the questions in the FY 2017 IG FISMA Metrics
template, which will become the CyberScope report, are shown in
Enclosure 1.
What We Recommend
This report contains seven findings, two of which are repeat
findings from previous FISMA audit reports. We make 37
recommendations (4 of which are repeat recommendations) to assist
the Department and FSA with increasing the effectiveness of their
information security programs so that they fully comply with all
applicable requirements of FISMA, the Office of Management and
Budget, the Department of Homeland Security, and the National
Institute of Standards and Technology. During our FY 2016 FISMA
audit, we made 15 recommendations to the Department and FSA to
address the 11 findings that we identified. As of October 2017, the
Department and FSA reported that they have completed corrective
actions for 10 of the 15 recommendations. However, despite their
reporting completed corrective actions, we continue to identify
repeat findings and recommendations in both the Information
Security Continuous Monitoring and Incident Response metric
domains. Although the Department and FSA may have taken action on
specific findings, systemic issues persist in these metric domains
on an enterprise level. The Department and FSA anticipate
completing corrective action for all FY 2016 recommendations this
fiscal year, with many scheduled for completion by the end of
2017.
The Department concurred with 31 of our 37 recommendations,
partially concurred with 5 recommendations (2.4, 2.5, 3.6, 6.2, and
6.5) and did not concur with recommendation 1.2. We summarized and
responded to specific comments in the “Audit Results” section of
the report. The OIG considered the Department’s comments and
although we did not revise our findings, as a result of subsequent
support provided by the Department, we removed 2 of the 37
recommendations (6.2 and 6.5).
BACKGROUND
The E-Government Act of 2002 (Public Law 107-347), signed into
law in December 2002, recognized the importance of information
security to the economic and national security interests of the
United States. Title III of the E-Government Act of 2002, the
Federal Information Security Management Act of 2002, permanently
reauthorized the framework established by the Government
Information Security Reform Act of 2000, which expired in November
2002. The Federal Information Security Management Act of 2002
continued the annual review and reporting requirements introduced
in the Government Information Security Reform Act of 2000, but it
also included new provisions that further strengthened the Federal
Government’s data and information systems security, such as
requiring the development of minimum control standards for
agencies’ systems. The Federal Information Security Management Act
of 2002 also charged the National Institute of Standards and
Technology (NIST) with the responsibility for developing
information security standards and guidelines for Federal agencies,
including minimum requirements for providing adequate information
security for all operations and assets.
The E-Government Act also assigned specific responsibilities to
the Office of Management and Budget (OMB), agency heads, chief
information officers, and inspectors general. It established that
OMB is responsible for creating and overseeing policies, standards,
and guidelines for information security and has the authority to
approve agencies’ information security programs. OMB is also
responsible for submitting the annual Federal Information Security
Management Act of 2002 report to Congress, developing and approving
the cybersecurity portions of the President’s Budget, and
overseeing budgetary and fiscal issues related to the agencies’ use
of funds.
Each agency must establish a risk-based information security program that ensures information security is practiced throughout the life cycle of each agency’s systems. Specifically, the agency’s chief information officer (CIO) is required to oversee the program, which must include the following:
• periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems, and to data supporting critical operations and assets;
• development and implementation of risk-based, cost-effective policies and procedures to provide security protections for the agency’s information;
• training that covers security responsibilities for information security personnel and security awareness for agency personnel;
• periodic management testing and evaluation of the effectiveness of security policies, procedures, controls, and techniques;
• processes for identifying and remediating significant security deficiencies;
• procedures for detecting, reporting, and responding to security incidents; and
• annual program reviews by agency officials.
In December 2014, the Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283, was enacted to update the Federal Information Security Management Act of 2002 by (1) reestablishing the oversight authority of the Director of OMB with respect to agency information security policies and practices and (2) setting forth authority for the Department of Homeland Security (DHS) Secretary to administer the implementation of such policies and practices for information systems.
In addition, FISMA revised the Federal Information Security
Management Act of 2002 requirement for Offices of Inspectors
General (OIG) to annually assess agency “compliance” with
information security policies, procedures, standards, and
guidelines. FISMA now requires OIGs to assess the “effectiveness”
of the agency’s information security program. It also codified
certain information security requirements related to continuous
monitoring that OMB had previously established. FISMA specifically
mandates that each evaluation under this section must include (1)
testing of the effectiveness of information security policies,
procedures, and practices of a representative subset of the
agency’s information systems and (2) an assessment of the
effectiveness of the information security policies, procedures, and
practices of the agency.
The Council of the Inspectors General on Integrity and
Efficiency (CIGIE), OMB, and DHS developed the Fiscal Year (FY)
2017 Inspector General FISMA Reporting Metrics V1.0, April 26, 2016
(FY 2017 FISMA Metrics), in consultation with the Federal Chief
Information Officer Council. The FY 2017 FISMA Metrics are
organized around the five information Cybersecurity Framework
security functions (security functions) outlined in the NIST’s
“Framework for Improving Critical Infrastructure Cybersecurity,” as
shown in Table 1. 3
Table 1. Aligning the Security Functions to the FY 2017 IG FISMA Metric Domains
Security Function | FY 2017 IG Metric Domains
Identify | Risk Management
Protect | Configuration Management, Identity and Access Management, and Security Training
Detect | Information Security Continuous Monitoring
Respond | Incident Response
Recover | Contingency Planning
For FY 2015, CIGIE, in coordination with DHS, OMB, NIST, and other key stakeholders, established the maturity model for information security continuous monitoring (ISCM). The maturity model is designed to provide a perspective on the overall status of information security within an agency, as well as across agencies. In FY 2016, this effort continued by establishing an Incident Response maturity model, with plans to extend the maturity model to other security functions for OIGs to use in their FY 2017 FISMA reviews. In FY 2017, not only were the Identify, Protect, and Recover security functions transitioned into full maturity models, but the maturity models were reorganized to be more intuitive and in line with the CIO FISMA reporting metrics. This alignment with the Cybersecurity Framework helps promote consistent and comparable metrics and criteria in the CIO and IG metrics processes, while providing agencies with a meaningful independent assessment of the effectiveness of their information security program.
3 NIST’s Framework for Improving Critical Infrastructure Cybersecurity defines the security functions as follows: (1) Identify—develops the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities; (2) Protect—develops and implements the appropriate safeguards to ensure delivery of critical infrastructure services; (3) Detect—develops and implements the appropriate activities to identify the occurrence of a cybersecurity event; (4) Respond—develops and implements the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event; and (5) Recover—develops and implements the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The inspectors general are required by FISMA and the FY 2017 IG
FISMA Metrics to assess the effectiveness of information security
programs on a maturity model spectrum, in which the foundation
levels ensure that agencies develop sound policies and procedures
and the advanced levels capture the extent to which agencies
institutionalize those policies and procedures. Table 2 details the
five maturity model levels: (1) Ad Hoc, (2) Defined, (3)
Consistently Implemented, (4) Managed and Measurable, and (5)
Optimized. Within the context of the maturity model, Levels 4 or 5
represent an effective level of security.4
Table 2. Level of Maturity and Description
Maturity Level | Maturity Level Description
Level 1: Ad-hoc | Policies, procedures, and strategy are not formalized; activities are performed in an ad-hoc, reactive manner.
Level 2: Defined | Policies, procedures, and strategy are formalized and documented but not consistently implemented.
Level 3: Consistently Implemented | Policies, procedures, and strategy are consistently implemented, but quantitative and qualitative effectiveness measures are lacking.
Level 4: Managed and Measurable | Quantitative and qualitative measures on the effectiveness of policies, procedures, and strategy are collected across the organization and used to assess them and make necessary changes.
Level 5: Optimized | Policies, procedures, and strategy are fully institutionalized, repeatable, self-generating, consistently implemented, and regularly updated based on changing threat and technology landscape and business/mission needs.
As described in the FY 2017 IG FISMA Metrics, ratings throughout
the seven domains are by simple majority. Further, IGs determine
the overall agency rating and the rating for each of the
Cybersecurity Framework Functions at the maturity level.
Beginning in FY 2009, OMB required Federal agencies and OIGs to
submit FISMA reporting through the OMB Web portal, CyberScope
(Enclosure 1).
4 NIST SP 800-53, Revision 4, “Security and Privacy of Controls
for Federal Information Systems and Organizations,” defines
security control effectiveness as the extent to which the controls
are implemented correctly, operating as intended, and producing the
desired outcome with respect to meeting the security requirements
for the information system in its operational environment or
enforcing/mediating established security policies.
Departmental Systems and Security Program Description
In September 2007, the U.S. Department of Education (Department)
entered into a contract with the predecessor of NTT DATA Services
(NTT), to provide and manage information technology (IT)
infrastructure services to the Department under the Education
Department Utility for Communications, Applications, and Technology
Environment (EDUCATE) system. The contract established a
contractor-owned and contractor-operated IT service model for the
Department under which NTT provides the enterprise IT platform and
network infrastructure to support Department employees in meeting
the Department’s mission. The contract was awarded as a 10-year,
performance-based, indefinite-delivery, indefinite-quantity
contract with fixed unit prices and was due to expire in November
2017. Under this contract, NTT owns all of the IT hardware and
operating systems, including wide-area and local-area network
devices, network servers, routers, switches, external firewalls,
voice mail, and the Department’s laptops and workstations. NTT also
provides help desk services and all personal computer services. NTT
also managed the Department’s Virtual Data Center, which was
located at the contractor’s facility in Plano, Texas. The Virtual
Data Center is a general support system into which Federal Student
Aid (FSA) consolidated many of its student financial aid program
systems to improve interoperability and reduce costs. It serves as
the hosting facility for FSA systems that process student financial
aid applications, provide schools and lenders with eligibility
determinations, and support payments from and repayment to lenders.
It consists of a network infrastructure, servers, and the
corresponding operating systems. Many of the financial aid
applications that are hosted at Virtual Data Center are operated by
other contractors. This contract expired in August 2016. NTT
continued to manage the Virtual Data Center until transition to a
new contractor was completed in the summer of 2017. We discuss the
status of the contract recompete and transition for both computing
environments in the “Other Matters” section of this report. The
Department’s total spending for IT investments for the FY 2017 was
estimated at about $700 million.
Through the Office of the Chief Information Officer (OCIO), the Department monitors and evaluates the contractor-provided IT services through a service-level agreement framework and develops and maintains common business solutions that are required by multiple program offices. OCIO advises and assists the Secretary and other senior officials to ensure that the Department acquires and manages IT resources in a manner that is consistent with the requirements of the Clinger-Cohen Act of 1996,5 FISMA, and OMB Memorandum A-130.6 OCIO is responsible for implementing the operative principles established by legislation and regulation, establishing a management framework to improve the planning and control of IT investments, and leading change to improve the efficiency and effectiveness of the Department’s operations. In addition to OCIO, FSA has its own CIO, whose primary responsibility is to promote the effective use of technology to achieve FSA’s strategic objectives through sound technology planning and investments, integrated technology architectures and standards, and effective systems development and production support. FSA’s CIO core business functions include the (1) Application Development Group, (2) Enterprise IT Management Group, and (3) Enterprise IT Services Group.
5 As part of its enactment, the Clinger-Cohen Act of 1996 reformed acquisition laws and IT management of the Federal Government.
6 OMB Memorandum A-130 establishes a minimum set of controls to be included in Federal automated information security programs, assigns Federal agency responsibilities for the security of automated information, and links agency automated information security programs and agency management control systems established in accordance with OMB Circular No. A-123.
Fiscal Year 2016 FISMA Audit Results
During last year’s FISMA audit, we identified 11 findings and
provided 15 recommendations that addressed the conditions noted in
the report. The Department concurred with 14 recommendations,
partially concurred with 1, and provided corrective action plans on
how it would address the recommendations. In general, our findings
identified:
outdated policies and procedures;
the use of unsecure application protocols;
control weaknesses in web applications, network infrastructure,
and database management;
insufficient enforcement of personal identification verification
for nonprivileged users;
external network connections not using two-factor authentication;
insufficient implementation of a network access control solution;
an insufficiently implemented information security continuous
monitoring program; and
an insufficiently implemented incident response program.
The Department and FSA agreed to corrective actions such as
updating policies and procedures, developing new guidance,
instituting secure connection protocols for its systems, completing
network access control deployment, creating Plans of Action and
Milestones (POA&M) for all vulnerabilities identified in the FY
2016 report, updating security documentation as needed, improving
communication and escalation of identified issues with OIG, and
developing a cybersecurity workforce strategy. As of October 2017,
the Department and FSA reported that they had completed corrective
actions for 10 of the 15 recommendations. The Department and FSA
anticipate completing corrective action for all recommendations
this fiscal year, with many scheduled for completion by the end of
2017.
AUDIT RESULTS
Based on the requirements specified in FISMA and the FY 2017 IG
FISMA Metrics, our audit focused on reviewing the five security
functions and associated metric domains: Identify (Risk
Management), Protect (Configuration Management, Identity and Access
Management, and Security Training), Detect (ISCM), Respond
(Incident Response), and Recover (Contingency Planning). The FY
2017 maturity model was more comprehensive and attributes were
assessed differently than the previous year’s maturity model
indicator scoring. As a result, certain functions were assessed at
a lower level, and we found the Department and FSA were not
effective in all five security functions—Identify, Protect, Detect,
Respond, and Recover.
We identified findings in Risk Management, Configuration
Management, Identity and Access Management, Security Training,
ISCM, Incident Response, and Contingency Planning metric domains.
Our findings in these metric domains included repeat findings from
the following OIG reports issued from FYs 2011 through 2016:
“The U.S. Department of Education’s Compliance with the Federal
Information Security Management Act of 2002 for Fiscal Year 2011,”
(ED-OIG/A11L0003) October 2011;
“The U.S. Department of Education’s Compliance with the Federal
Information Security Management Act of 2002 for Fiscal Year 2012,”
(ED-OIG/A11M0003) November 2012;
“The U.S. Department of Education’s Compliance with the Federal
Information Security Management Act of 2002 for Fiscal Year 2013,”
(ED-OIG/A11N0001) November 2013;
“The U.S. Department of Education’s Compliance with the Federal
Information Security Management Act of 2002 for Fiscal Year 2014,”
(ED-OIG/A11O0001) September 2014;
“The U.S. Department of Education’s Federal Information Security
Modernization Act of 2014 Report for Fiscal Year 2015,”
(ED-OIG/A11P0001) November 2015; and
“The U.S. Department of Education’s Federal Information Security
Modernization Act of 2014 Report for Fiscal Year 2016,”
(ED-OIG/A11Q001) November 2016.
SECURITY FUNCTION 1—IDENTIFY
The “Identify” security function comprises the Risk Management
metric domain. Based on our evaluation of the Department’s Risk
Management program, we determined that the Identify security
function was consistent with the Consistently Implemented level of
the maturity model, which is categorized as being not effective. Of
the 12 metrics for this domain, we found the Department and FSA
to be at the Consistently Implemented level for 8 metrics, the
Defined level for 3 metrics, and the Ad Hoc level for 1 metric.
We found the Department and FSA (1) established policies and
procedures consistent with NIST standards, (2) relied on a
Department-wide Risk Management Framework, (3) established a risk
methodology to assess its systems on an ongoing/continuous basis,
(4) established an inventory of relevant documentation needed to
assess system risk, (5) migrated to a new solution for its system
documentation, and (6) established workshops and forums to inform
stakeholders on risk management issues. Nonetheless, we noted some
improvements are needed in (1) updating inventory guidance,
(2) including contract security control compliance and access
language, and (3) maintaining a complete website inventory.
METRIC DOMAIN 1—RISK MANAGEMENT
Risk Management embodies the program and supporting processes to
manage information security risk to organizational operations
(including mission, functions, image, and reputation),
organizational assets, staff, and other organizations. This
includes establishing the context for risk-related activities,
assessing risk, responding to risk once it is determined, and
monitoring risk over time. A POA&M, also referred to as a
corrective action plan, is a management tool for tracking the
mitigation of cybersecurity program and system-level findings and
weaknesses. The purpose of a POA&M is to assist agencies in
identifying, assessing, prioritizing, and monitoring the progress
of corrective efforts for security weaknesses found in programs and
systems.7
We determined that the Department’s and FSA’s Risk Management
program was consistent with the Consistently Implemented level of
the maturity model, which is categorized as being not effective.
The Department and FSA have consistently implemented their risk
management policies, procedures, and strategies at the enterprise,
business process, and information system levels, and use their risk
profile to facilitate a determination on the aggregate level and
types of risk that management is willing to assume. Moreover, both
the Department and FSA consistently capture and share lessons
learned on the effectiveness of risk management processes and
activities in need of program improvements with their respective
shareholders. However, while the Department has made several
improvements to its risk management program, its practices in
several areas still do not meet the Managed and Measurable
threshold under the metrics required to be considered effective. To
meet the Managed and Measurable level, the Department would need to
achieve this level in at least 7 of the 12 metric areas. For
example, the Department would need to ensure that the hardware
assets connected to the network comply with the monitoring
processes defined within the Department’s ISCM strategy.
In FY 2016, based on the maturity model indicator scoring, we
determined that the Department’s and FSA’s “Identify” security
function (which comprised Risk Management and Contractor Systems)
was scored at Level 5: Optimized, which was categorized as
effective. Specifically, the Department and FSA had developed a
comprehensive governance structure and organization-wide risk
management strategy and program that included comprehensive agency
policies and procedures consistent with OMB policy and applicable
NIST guidelines. Because the FY 2017 maturity model was more
comprehensive and attributes were assessed differently than the
previous year’s maturity model indicator scoring, the Department
was assessed at a lower level.
The Department established a risk management process that
includes policies and procedures and an enterprise strategy for its
business process and information systems. It uses its risk profile
to facilitate a determination on the aggregate level and types of
risk that management is willing to assume and consistently captures
and shares lessons learned on the effectiveness of risk management
processes and activities to update the program.
7 In prior years’ reporting, the POA&M and Contractor
Systems areas were reported as separate metric domains. However,
for FY 2017 FISMA reporting, POA&M and Contractor Systems
metric questions are incorporated into the Risk Management metric
domain.
The Department defined an information security architecture that
is integrated into and supports its enterprise architecture and
provides a structured methodology for managing risk. In addition,
it defined a process to conduct a security architecture review for
newly acquired hardware and software before introducing systems
into its development environment. According to the OCIO-01,
“Information Assurance Cybersecurity Policy,” the OCIO, in
coordination with the principal offices, is required to establish
and maintain an architecture that includes security for both the
Department’s network components and connected information systems
(i.e., the “enterprise”). Principal offices are required to obtain
the approval of the Enterprise Architecture Review Board (EARB)
before the development or acquisition of an information system. The
Department’s information systems are required to have baseline
security requirements in compliance with this policy and all
Federal cybersecurity authorities and regulations.
We determined that the Department developed the capability to
build and maintain a system inventory that included all FISMA
reportable systems, cloud systems, and contractor systems, and
determined that it uses standard data elements/taxonomy to develop
and maintain an inventory of hardware assets with the exceptions of
the finding listed below.
The Department also implemented an automated solution across the
enterprise that provides a centralized, enterprise-wide view of
risks, including risk control and remediation activities,
dependencies, risk scores/levels, and management dashboards. We
determined that the Department and FSA have fully migrated to the
Cyber Security Assessment and Management (CSAM) system, which
serves as their repository for all system information such as
security authorization data, POA&Ms, and risk acceptance
forms.
The Department developed the Information Assurance Services 02,
“System Inventory Methodology and Guidance,” for developing,
managing, and maintaining an inventory of IT systems that satisfies
FISMA system reporting requirements. It also provides detailed
guidance for managing the Department’s FISMA system inventory
within the CSAM tool. The Department also developed the Information
Assurance Services 03, “System Categorization Guidance,” to provide
a detailed direction for conducting, documenting, and maintaining
security categorization levels across the Department. The guidance
is designed to facilitate the application of appropriate levels of
information security according to a range of levels of impact or
consequences that might result from the unauthorized disclosure,
modification, or use of the information or information system.
Furthermore, as part of the Department-wide Risk Management
Framework, the Department developed assessments to identify
the program’s knowledge, skills, abilities, and resource gaps. These
included results from assessment activities such as (1) the DHS
Continuous Diagnostics and Mitigation (CDM) Governance Support Plan
(People and Organizational Assessment subsection), (2) the
Department’s Cybersecurity Workforce Baseline Certification
Assessment, and (3) CDM Phase 1 Implementation Readiness Review. We
also noted that roles and responsibilities have been expanded in
the more recent policies that were produced in FY 2017.
The Department established a risk assessment process that
incorporates NIST Special Publication (SP) 800-30, “Guide for
Conducting Risk Assessments.” Risk assessments (formal or informal)
are conducted at various steps in the Risk Management Framework,
which include (1) information system categorization, (2) security
control selection, (3) security control implementation, (4) security
control assessment, (5) information system authorization, and
(6) security control monitoring
(continuous monitoring). System risk assessments are performed and
appropriate security controls are implemented on a consistent
basis. The Department uses the common vulnerability scoring system,
or a similar approach, to communicate the characteristics and
severity of software vulnerabilities.
As part of the Department’s risk assessment process, assessors
are required to share identified risks with all levels of
management. The resulting risk rating is conveyed to the
Authorizing Official who approves the system security plan,
authorizes the system to operate, and directs corrective actions to
mitigate risk to an acceptable level. The Authorizing Official
provides feedback to the system owner on which vulnerabilities
(e.g., noncompliant security controls) must be corrected and the
acceptable timeframe for corrective actions.
The Department communicated information about risks in a timely
and consistent manner to all internal and external stakeholders
with a need to know. Furthermore, the organization actively shares
information with partners to ensure that accurate, current
information is being distributed and consumed.
We found that the Department had established forums and
workshops to train and educate stakeholders on risk management
issues. We attended a Quarterly Cybersecurity Risk Management
Workshop that addressed issues such as (1) cybersecurity policy and
guidance updates, (2) outstanding POA&Ms, and (3) ensuring
compliance for secure connections for websites and services. We
also attended the Cybersecurity Risk Management Forum where
Department officials discussed issues regarding governance, risk,
and compliance. Issues discussed included POA&M aging and
status, and NIST SP 800-53, Revision 4, “Security and Privacy
Controls for Federal Information Systems and Organizations,” and
control family classification.
OCIO manages the Department’s IT Investment Management process
to ensure consistency with all applicable legislation, as well as
the Department’s enterprise architecture, information management,
information assurance, and related standards and processes. The IT
Investment Management process is intended to ensure that IT
investments (1) support and are aligned with the Department’s
business objectives and Strategic Plan; (2) comply with all
relevant statutes, Federal regulations, and Departmental policies;
(3) do not duplicate other investments; and (4) are carefully
selected and managed in a way that demonstrates careful decision
making, with the greatest possible partnership and resource sharing
both within the Department and other agencies.
The Department established a POA&M process in accordance
with the Department’s policies and procedures to mitigate security
weaknesses. We verified that the Department uses the CSAM
repository to store and track its POA&Ms and is looking to
automate portions of the process to assist in reducing the number
of outstanding POA&Ms. We performed a review of 987 outstanding
POA&Ms and found that (1) 849 of 987 (86 percent) were over 90
days; (2) 61 of 987 (6 percent) were over 200 days; and (3) there
were no POA&Ms greater than one year.
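The aging review described above (items over 90 days, over 200 days, and over one year, each as a count and a percentage of the open population) is the kind of check that can be run directly against a POA&M export. The following is an added example, not the Department's or CSAM's own tooling; the records are constructed for illustration, and the field names (poam_id, opened, closed, severity) are assumptions rather than CSAM's real schema.

```python
"""Age analysis of open POA&M entries, mirroring the thresholds in the audit text.

Added example. The records below are constructed and the field names are
assumed; nothing here is real CSAM data or a real CSAM export format.
"""
from datetime import date
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

# Constructed sample export: four open items and one closed item.
SAMPLE_POAMS: List[Dict[str, Optional[str]]] = [
    {"poam_id": "P-1", "opened": "2017-01-15", "closed": None, "severity": "high"},
    {"poam_id": "P-2", "opened": "2017-06-01", "closed": None, "severity": "moderate"},
    {"poam_id": "P-3", "opened": "2017-09-10", "closed": None, "severity": "low"},
    {"poam_id": "P-4", "opened": "2016-11-20", "closed": "2017-03-01", "severity": "high"},
    {"poam_id": "P-5", "opened": "2017-03-30", "closed": None, "severity": "moderate"},
]

# The cut-offs the audit reported against, in days.
THRESHOLDS: Tuple[int, ...] = (90, 200, 365)


def _as_date(value) -> date:
    """Accept either an ISO-8601 string or a date object."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def age_days(record: Mapping[str, Optional[str]], as_of) -> int:
    """Days an item has been open as of the given date."""
    return (_as_date(as_of) - date.fromisoformat(record["opened"])).days


def open_poams(records: Iterable[Mapping[str, Optional[str]]]) -> list:
    """Closed items are excluded from aging; only open weaknesses are tracked."""
    return [r for r in records if r.get("closed") is None]


def aging_summary(records, as_of) -> Dict[str, int]:
    """Count open POA&Ms older than each threshold, with whole-number percentages."""
    opens = open_poams(records)
    total = len(opens)
    summary: Dict[str, int] = {"total_open": total}
    for threshold in THRESHOLDS:
        count = sum(1 for r in opens if age_days(r, as_of) > threshold)
        summary[f"over_{threshold}"] = count
        summary[f"over_{threshold}_pct"] = round(100 * count / total) if total else 0
    return summary


def oldest_open(records, as_of, limit: int = 3) -> List[Tuple[str, int]]:
    """Oldest open items first, so the longest-standing weaknesses can be escalated."""
    opens = sorted(open_poams(records), key=lambda r: age_days(r, as_of), reverse=True)
    return [(r["poam_id"], age_days(r, as_of)) for r in opens[:limit]]


def format_finding(summary: Dict[str, int]) -> List[str]:
    """Render the summary in the same phrasing the audit uses for its counts."""
    total = summary["total_open"]
    return [
        f"{summary[f'over_{t}']} of {total} ({summary[f'over_{t}_pct']} percent) "
        f"were over {t} days"
        for t in THRESHOLDS
    ]


if __name__ == "__main__":
    result = aging_summary(SAMPLE_POAMS, "2017-10-01")
    for line in format_finding(result):
        print(line)
    print("oldest open:", oldest_open(SAMPLE_POAMS, "2017-10-01"))
```

Percentages are rounded to whole numbers, which reproduces the audit's own arithmetic (849 of 987 rounds to 86 percent, 61 of 987 to 6 percent). Closed items are filtered out before any threshold is applied so that a closed weakness never inflates the backlog figures.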
Based on our evaluation, we identified the following areas of
improvement for this metric area.
Issue 1. The Department’s Risk Management Program Needs
Improvement
Of the 12 metrics for the Risk Management Domain, we found the
Department and FSA to be at the Consistently Implemented level for
8 metrics, the Defined level for 3 metrics, and the Ad Hoc level
for 1 metric. We found that the Department should strengthen its
controls regarding risk management in the areas of (1) updating
inventory guidance, (2) ensuring Federal security control
compliance and access to contractor and subcontractor systems, and
(3) maintaining a complete website inventory.
Inventory Guidance Was Not Current
We found that the Department continues to rely on its
“Information Technology Security General Support Systems and Major
Applications Inventory Guidance, Version 1.0,” dated March 2009. We
have cited this outdated guidance in our FISMA reports since FY
2012. This guidance is designed to lead to the successful
completion of the Data Sensitivity Worksheet for each information
system and to result in an accurate inventory of the Department’s
system. However, this guidance has not been updated since March
2009, and therefore it does not incorporate all current NIST and
OMB guidance regarding systems inventory.
Contracts Did Not Include Security Control Compliance and Access
Language
The Department did not ensure that all required security
language, including a provision allowing access to contractors and
their subcontractors, was included in contracts relating to
contractor systems and services. We reviewed the contracts for the
10 externally hosted systems that were judgmentally selected for
this year’s audit, as well as a contract for a system that was
recently awarded to determine whether the 11 contracts contained,
at a minimum, security language for ensuring that the systems were
in compliance with security control requirements.8 Our review
determined that three system contracts did not contain language
requiring contractors to comply with Federal security controls.
OCIO informed us that although the Department developed standard
security contract language for its contracts, they are reviewing
and reevaluating current contract language for consistency across
principal offices and contracts. The expectation is that all
requests for proposal are reviewed before going to the contracting
office for review to ensure security language is included in the
contract.
Acquisition Alert 2016-07, “Class Deviation to Implement Policy
Regarding Access to Contractor Information Systems,” issued by the
Office of the Chief Financial Officer on August 9, 2016, obligates
contracting officers and contract specialists to include certain
provisions and/or clauses to ensure compliance with Departmental
policy regarding access to contractor or subcontractor information
systems. Of the 11 contracts we reviewed, 4 were issued on or after
August 9, 2016, and were subject to Acquisition Alert 2016-07. Of
these four contracts, none included the mandated clause “Access to
Contractor and Subcontractor Information Systems.” For the other
seven contracts that were issued before Acquisition Alert 2016-07,
we found that four of the contracts did not contain provisions
and/or relevant clauses that would allow Departmental access to
contractors or subcontractor information systems. The lack of
communication between the contractors and contracting officer
representatives at the Department regarding inclusion of relevant
contract provisions, as well as limited monitoring of contractual
obligations, further contributed to this condition. Without an
access clause included in its service contracts, the Department
cannot ensure that it will have access to contractor systems
enabling it to perform necessary quality assurance, audit, and
investigative functions required by Federal guidance.
8 Since the current EDUCATE system was being replaced by
sectional contracts, we selected a sectional component contract,
Portfolio of Integrated Value-Oriented Technologies-M, that was
already awarded.
The Department Did Not Maintain an Updated Systems Inventory for
Active Websites
We found the Department’s system inventory does not accurately
reflect all active websites providing services for the Department.
Specifically, when we compared the list that was provided during
the FY 2016 FISMA audit to the current inventory, that list
included an additional 61 active/online websites that were not
included in the FY 2017 inventory. We verified that the additional
61 websites were still operational and accessible to users. Based
on the information provided, we determined that there is no single
source to provide a complete list of websites providing services
for the Department. Instead, lists are provided by different
sources and no centralized location is used to corroborate and
maintain an accurate list.
NIST SP 800-53, Revision 4, CM-8 – Information System Component
Inventory, states that organizations should develop and document an
inventory of information system components that (1) accurately
reflects the current information system, (2) includes all
components within the authorization boundary of the information
system, and (3) is at the level of granularity deemed necessary for
tracking and reporting. It further states that the organization
should (1) update the inventory of information system components as
an integral part of component installations, removals, and
information system updates; and (2) provide a centralized
repository for the inventory of information system components.
Although the Department Handbook OCIO-01 requires each principal
office to maintain a current inventory of systems, hardware and
software assets, and information (data) under its control
throughout the respective system development life cycles, the
Department lacked a centralized tracking process to ensure that its
inventory was complete and current. Failure to identify and
maintain an updated inventory—specifically, one that accurately
reflects all active websites managed by the Department—could lead
to compromise and exposure of data without the Department knowing
that it had occurred.
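The finding above turns on two mechanics: a comparison of a prior-year list against the current inventory, and the absence of a single centralized source that corroborates the lists coming from different offices. The following is an added example of that reconciliation, not the Department's own process or tooling; the inventory and source lists are constructed, and the hostnames are placeholders under example.gov rather than real Department sites. It goes slightly beyond the text by also reporting inventoried sites that no source still lists, since an inventory kept current under CM-8 has to catch decommissioned components as well as unrecorded ones.

```python
"""Reconcile website lists from several sources against the system inventory.

Added example (not the Department's tooling). All inputs are constructed;
the example.gov hostnames are placeholders, not real sites.
"""
from typing import Dict, Iterable, List, Mapping, Set
from urllib.parse import urlsplit

# Constructed authorized inventory. The same site appears in different forms
# (scheme, case, path, port, trailing dot) across lists, so matching must canonicalize.
INVENTORY_2017 = [
    "https://portal.example.gov",
    "https://aid.example.gov/apply",
    "https://retired.example.gov",
]

# Constructed per-office lists, keyed by the source that supplied them.
SOURCE_LISTS: Dict[str, List[str]] = {
    "prior_year_list": [
        "portal.example.gov",
        "grants.example.gov",
        "http://legacy.example.gov:8080/old",
        "AID.EXAMPLE.GOV",
    ],
    "web_team_export": [
        "https://news.example.gov/",
        "https://portal.example.gov/login",
        "grants.example.gov.",
    ],
}


def canonical_host(entry: str) -> str:
    """Reduce a URL or bare hostname to a lowercase host with no port, path, or trailing dot."""
    text = entry.strip()
    if "://" not in text:
        text = "//" + text  # makes urlsplit treat a bare host[:port] as the netloc
    host = urlsplit(text).hostname or ""  # .hostname strips the port and lowercases
    return host.rstrip(".")


def consolidate(source_lists: Mapping[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Build the centralized view: each canonical host mapped to the sources listing it."""
    seen: Dict[str, Set[str]] = {}
    for source, entries in source_lists.items():
        for entry in entries:
            host = canonical_host(entry)
            if host:  # skip blank or unparsable entries rather than recording ""
                seen.setdefault(host, set()).add(source)
    return seen


def reconcile(inventory: Iterable[str], source_lists: Mapping[str, Iterable[str]]) -> dict:
    """Compare observed sites with the inventory in both directions."""
    inv = {canonical_host(e) for e in inventory}
    observed = consolidate(source_lists)
    unaccounted = sorted(h for h in observed if h not in inv)   # live but not inventoried
    not_observed = sorted(h for h in inv if h not in observed)  # inventoried but unseen
    return {
        "unaccounted": unaccounted,
        "not_observed": not_observed,
        "sources": {h: sorted(observed[h]) for h in unaccounted},
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY_2017, SOURCE_LISTS)
    for host in report["unaccounted"]:
        print(f"not in inventory: {host} (listed by {', '.join(report['sources'][host])})")
    for host in report["not_observed"]:
        print(f"in inventory but not listed by any source: {host}")
```

Every unaccounted host is reported together with the sources that listed it, which is the corroboration step the finding says was missing; a site named by two independent offices deserves a different follow-up than one appearing on a single stale list. The verification that a site is still operational and accessible, which the audit performed separately, is deliberately left out of this offline example.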
Recommendations
We recommend that the Deputy Secretary require OCIO to—
1.1 Incorporate additional measures to, at a minimum, achieve
Level 4 Managed and Measurable status of the Risk Management
program.
1.2 Ensure that “Information Technology Security General Support
Systems and Major Applications Inventory Guidance, Version 1.0” is
updated.
1.3 Ensure that all contracts are reviewed and reevaluated to
ensure that required access and security language is included.
1.4 Establish a centralized tracking process for maintaining all
active websites for the Department.
Management Comments
The Department concurred with recommendations 1.1, 1.3, and 1.4
but did not concur with recommendation 1.2. For recommendations
1.1, 1.3, and 1.4, the Department stated it will develop corrective
action plans by December 1, 2017, to address the associated
finding. For recommendation 1.2, the Department stated it released
Information Assurance Services 02, “Systems Inventory Methodology
and Guidance,” and the Information Assurance Services 03, “System
Categorization Guidance,” that superseded the “Information
Technology Security General Support Systems and Major Applications
Inventory Guidance, Version 1.0.”
OIG Response
The OIG will review the corrective action plans to determine
whether the actions will address the finding and recommendations
and, if so, will validate them during our FY 2018 FISMA audit.
Regarding recommendation 1.2, the OIG identified Information
Assurance Services 02 and 03 as active guidance during the audit;
however, we also found that the Information Technology Security
General Support Systems and Major Applications Inventory Guidance,
Version 1.0, still served as the overarching policy and had not
been officially superseded. On October 28, 2017, the OIG confirmed
the guidance remained on the Department’s intranet website and did
not see any indication that this guidance had been officially
superseded. If the OIG receives confirmation that the Department
has removed the guidance from its intranet site, we will consider
this action to be responsive to the finding and recommendation.
SECURITY FUNCTION 2—PROTECT
The “Protect” security function comprises the Configuration
Management, Identity and Access Management, and Security Training
metric domains. Based on our evaluation of the three program areas,
we determined that the Protect security function was consistent
with the Defined level of the maturity model, which is categorized
as being not effective. Strengths and areas of improvement are
identified individually in each of the metric domain sections
below.
In FY 2016, the Department and FSA were measured against a
maturity model indicator scoring system for these three metric
domains and were categorized at the Defined level for this security
function due to our findings in the three metric domains. For
example, in configuration management, we found (1) select policies
and procedures were not current with NIST and Departmental
guidance, (2) appropriate application connection protocols were not
being used, and (3) the Department was unable to prevent
unauthorized devices from connecting to the network. All three
findings were repeat findings from our FY 2015 FISMA audit and
continue to exist. Through our vulnerability assessment testing, we
found that the Department’s and FSA’s controls over web
applications, as well as the application’s network infrastructure
need improvement. For Identity and Access Management, we performed
database management assessments that identified vulnerabilities,
configuration errors, rogue installations, and access issues for
databases residing in the Office of General Counsel Case and
Activity Management System, Education Security Tracking and
Reporting System, Personal Authentication Service,
and Common Origination and Disbursement environments. Further,
we found that two-factor authentication9 for nonprivileged users is
not effectively implemented and external network connections did
not use two-factor authentication—another repeat finding from the
FY 2015 FISMA audit. We also found that although the Department
established processes and controls to ensure an effective Security
Training program, we identified an area in which the Department can
improve its assessment of contractors with significant security and
privacy responsibilities.
METRIC DOMAIN 2—CONFIGURATION MANAGEMENT
Configuration management includes tracking an organization’s
hardware, software, and other resources to support networks,
systems, and network connections. This includes software versions
and updates installed on the organization’s computer systems.
Configuration management enables the management of system resources
throughout the system life cycle.
We determined that the Department’s and FSA’s configuration
management programs were consistent with the Defined level of the
maturity model. The Department and FSA have defined the roles and
responsibilities at the organizational and information system
levels for stakeholders involved in information system
configuration management. Also, these roles and responsibilities
have been communicated across the organization. The Department also
developed an organization-wide configuration management plan that
includes the necessary components. Furthermore, the Department and
FSA consistently implemented Trusted Internet Connections (TIC)
approved connections and critical capabilities that were managed
internally. However, while the Department has made several
improvements to its Configuration Management program, its practices
in several areas still do not meet the Managed and Measurable
threshold under the metrics to be considered effective. To meet
Managed and Measurable, the Department would need to achieve that
level in at least 5 of the 8 metric areas. For example, the
Department would need to employ automated mechanisms (such as
application whitelisting and network management tools) to detect
unauthorized hardware, software, and firmware on its network and
take immediate actions to limit any security impact.
The Department has made progress in defining and communicating
the responsibilities of configuration management to stakeholders
and began performing an assessment of skills, knowledge, and
resources to effectively implement a configuration management
program and continues to work to ensure this is developed across
the Department. These areas are included as part of Risk Management
forums that are held throughout the year. OCIO also relies on its
current workforce strategy to accomplish these assessments.
The Department’s Life Cycle Management Framework provides the
foundation for the implementation of standards, processes, and
procedures for acquiring and developing IT solutions. It requires
that configuration management plans identify the configuration
items, components, and related work products that will be placed
under configuration management using configuration identification,
configuration control, and configuration status accounting and
configuration audits. It also ensures that the plan will establish
and maintain the integrity of work products throughout the life
cycle. The Department also uses the Life Cycle Management Framework
policy that provides guidance on how changes are communicated to
users.
9 Two-factor authentication is a security process in which the
user provides two means of identification from separate categories
of credentials; one is typically a physical token, such as a card,
and the other is typically something memorized. This additional
layer of security could help reduce the incidence of online
identity theft, phishing expeditions, and other online fraud.
The EARB is responsible for strategic decision making and
communication to achieve the enterprise vision for technology at
the Department level. Changes implemented on individual systems are
the responsibility of the system owners. NTT manages the
Department’s Configuration Management Plan. The Department also
relies on the system owners to include the change management plan
as part of their contract.
The Department has developed configuration management plans and
outlined information system configuration management policies and
procedures in their overarching policies governing configuration
management. As part of this process, system vulnerability scans
conducted by the Department are reviewed to provide assurance that
policies are being disseminated and enforced. Configuration
management plans are being actively used and are submitted through
the EARB process when approving systems.
As part of the Department’s configuration management policy,
each system is required to have its own system specific
configuration management plan describing the processes for
identifying and managing changes to that system. These processes
are being followed when the Department performs assessments and/or
independent security control assessments. Each system is required
to have a Configuration Management Plan that details the system’s
processes, which enables OCIO to gain an understanding of the system
before testing the controls. If the system does not have a plan, a
finding and POA&M are created and the finding is entered into
CSAM.
NTT relies on its own patch management policies, which incorporate
the guidance outlined in OCIO-01, “Information
Assurance/Cybersecurity Policy,”10 to remediate vulnerabilities
found in the Department’s systems. Also, the Department has an
independent verification and validation team that completes
assessments to ensure that vulnerabilities have actually been
remediated.
The Department established a vulnerability and patch management
process. This process included (1) creating a system inventory; (2)
monitoring for vulnerabilities, remediations, and threats; (3)
prioritizing vulnerability remediation; (4) creating a remediation
database; (5) testing and deploying remediations; and (6) verifying
remediation. In addition, the Department established security
metrics measuring a system’s susceptibility to an attack, as well
as mitigation response time. FSA also has its own patch management process, which consists of (1) patch notification, (2) deployment, (3) testing, (4) post-production implementation review, (5) patch validation, and (6) bimonthly patch reporting.
The Department uses security concepts to manage and maintain
security baseline configurations. This included (1) configuration
planning and management, (2) identifying and implementing
configuration settings, (3) configuration change control, and (4)
configuration monitoring. We also found that the Department
established a security baseline for its systems. This included (1)
Federal Desktop Core Configurations, (2) U.S. Government
Configuration Baselines, and (3) Education Baseline
Configurations.
10 NTT Data Services Federal Government, Inc., provides the
services for the EDUCATE contract.
The Department also established a system-hardening process for
standard Windows, Linux, and UNIX operating systems. In addition,
FSA established a hardening standard process for maintaining and
updating hardware and software components.
The Department is an enterprise-wide TIC provider and manages
two TICs (one primary and one alternate) that are shared by the
Department and FSA. In FY 2015, DHS performed a TIC Capability
Validation of the Department’s TIC implementation and found that
the Department was at 96 percent for TIC 2.0 capabilities
implementation, 98 percent for external network traffic to and from
the organization's networks passing through a TIC, and 100 percent
of network/application interconnections to/from the organization’s
networks passing through a TIC. The Department informed us it had
completed projects to enforce TIC requirements for multifactor
authentication for administrative access to Department systems and
to add redundancy to its internal Network Time Protocol
capabilities. The Department stated that the completion of these
projects increased its compliance with TIC 2.0 critical
capabilities to 98 percent. In FY 2017, the focus has been on the
establishment of TIC access points for the Department’s Next
Generation Data Center.
Issue 2. The Department and FSA’s Configuration Management
Program Needs Improvement
Of the eight metrics for the Configuration Management domain, we
found the Department and FSA to be at the Defined level for six
metrics, the Consistently Implemented level for one metric, and the
Ad Hoc level for one metric. We found that the Department (1) was not using appropriate application connection protocols; (2) was
unable to protect against unauthorized devices connecting to its
network; (3) used unsupported operating systems, databases, and
applications in its production environment; (4) had not configured
websites to encrypt data transmission; (5) failed to adequately
protect personally identifiable information; and (6) along with
FSA, needs to improve its controls over web applications and
servers.
The Department Was Not Using Appropriate Application Connection
Protocols
During our FY 2015 and 2016 FISMA audits, we identified several
authorized connections that used outdated security connection
protocols. The Department concurred with the findings and
introduced planned corrective actions to mitigate the known risks.
However, we found that the Department continued to use the
previously identified outdated secure connection protocols as a
connection mechanism. Specifically, out of the 276 Department
authorized active connections, 30 (11 percent) did not adhere to
the mandated encryption standards of Transport Layer Security (TLS)
1.1 and above. NIST required agencies to develop migration plans to
support TLS 1.2 by January 1, 2015. The Department did not restrict
the use of nonsecure Secure Socket Layer version 3 connections to
its network and did not take the necessary steps to ensure only
recommended secure TLS connections were used.
Per the Department’s policies, if the Department decides to
accept the risks with identified controls weaknesses or
vulnerabilities, it must complete and submit a Risk Acceptance
Form. We reviewed all Risk Acceptance Forms the Department and FSA
provided, and we did not find any forms that related to the use of
Secure Socket Layer version 3 or TLS version 1.0 for the specific
active connections. The transition from Secure Socket Layer version 3 to TLS connections would help safeguard user information by providing a more secure connection. Despite committing to address this issue in FY 2015 and 2016, the Department has continued to use vulnerable protocols, and users could still expose systems to a number of vulnerabilities and exploits, including man-in-the-middle attacks that could jeopardize Department resources.11
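As an added illustration of the check behind this finding (not code from the report or from the Department), the following Python probes which protocol versions a server will negotiate and scores each connection against the TLS 1.1 floor and the TLS 1.2 recommendation cited above; the hostnames and the sample probe results are constructed placeholders.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Policy as stated in the report: TLS 1.1 is the mandated floor, TLS 1.2 is
# strongly recommended, and SSLv3 / TLS 1.0 need a Risk Acceptance Form.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_ALLOWED = "TLSv1.1"
RECOMMENDED = "TLSv1.2"

# Versions a current Python/OpenSSL build can pin a handshake to (SSLv3 is no
# longer offered by such builds, so a live probe can only report it absent).
_PINNABLE = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def server_accepts(host: str, port: int, version: str, timeout: float = 5.0) -> bool:
    """Live probe: attempt one handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # protocol support is being tested, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = _PINNABLE[version]
    except (ValueError, ssl.SSLError):
        return False  # the local OpenSSL refuses to offer this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == version
    except (OSError, ssl.SSLError):
        return False

def probe(host: str, port: int = 443) -> Set[str]:
    """Every protocol version the server at host:port will negotiate."""
    return {v for v in _PINNABLE if server_accepts(host, port, v)}

@dataclass
class Assessment:
    host: str
    weakest: Optional[str]      # lowest version negotiated; None if no TLS at all
    compliant: bool             # nothing below the TLS 1.1 floor is accepted
    meets_recommendation: bool  # TLS 1.2 or later is offered

def assess(host: str, accepted: Set[str]) -> Assessment:
    """Score one connection against the floor and the recommendation."""
    rank = VERSION_ORDER.index
    ranked = sorted(accepted, key=rank)
    # Offering TLS 1.2 is not enough: the legacy versions must also be disabled.
    below_floor = any(rank(v) < rank(MINIMUM_ALLOWED) for v in accepted)
    recommended = any(rank(v) >= rank(RECOMMENDED) for v in accepted)
    return Assessment(host, ranked[0] if ranked else None,
                      bool(accepted) and not below_floor, recommended)

def summarize(results: List[Assessment]) -> Dict[str, object]:
    """Roll-up in the form the report uses: count and share not adhering."""
    failing = sorted(r.host for r in results if not r.compliant)
    pct = round(100 * len(failing) / len(results)) if results else 0
    return {"total": len(results), "noncompliant": failing, "noncompliant_pct": pct}

# Constructed probe output standing in for live results (not real Department hosts).
SAMPLE_INVENTORY = {
    "portal-a.example.gov": {"TLSv1.2", "TLSv1.3"},
    "legacy-b.example.gov": {"SSLv3", "TLSv1", "TLSv1.1"},
    "reports-c.example.gov": {"TLSv1", "TLSv1.2"},
    "api-d.example.gov": {"TLSv1.1", "TLSv1.2"},
}

def audit_inventory(inventory: Dict[str, Set[str]]) -> Dict[str, object]:
    return summarize([assess(h, v) for h, v in inventory.items()])
```

Replacing SAMPLE_INVENTORY with `{h: probe(h) for h in hosts}` turns this into a live check of an authorized-connection list; a host that offers TLS 1.2 but still accepts TLS 1.0 is reported as non-adhering, which is exactly the condition the finding describes.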
The Department Was Unable to Prevent Unauthorized Devices From
Connecting to Its Network
The Department had not implemented a solution to consistently
restrict the use of unauthorized devices that connect to its
network. The Department plans to use a network access control12
solution to account for and control systems, along with peripherals
on its network. We originally identified this issue in our FY 2011
FISMA audit report. Despite the Department’s commitment to restrict
unauthorized access on its network, the network access control
solution was not effectively implemented. Our testing in June 2016
showed that the network access control solution was not able to
restrict our access. In April 2017, the Department stated that the
network access control solution was successfully implemented to
block access to all non-Government furnished equipment. However,
our testing again allowed us to gain access to a number of internal
resources by connecting to the Department’s network with
non-Government furnished equipment. Despite the Department’s
assertion that the network access control solution was successfully
implemented, the Department was unable to properly configure its
network access control solution to restrict the availability of
network resources to only endpoint devices that comply with its
defined security policy.
The Department Continued to Rely on Unsupported Operating
Systems, Databases, and Applications in the Production
Environment
In 2015, we identified that the Department relied on a number of
operating systems on the EDUCATE system that are no longer
supported by their vendors. At that time, the Department was unable
to provide any documentation, such as Risk Assessment Forms, to
justify the use of unsupported systems, and committed to
discontinue the use of these obsolete systems or develop
justification for their continued use by September 2016.
During this year’s audit, we found that the Department and FSA
still relied on a number of operating systems, databases, and
applications that were not supported by the vendors. The Department
advised application owners to submit corrective action plans to
upgrade the systems or submit Risk Acceptance Forms. However, it
was unable to provide any documentation, such as Risk Assessment
Forms, to justify the continued use of unsupported systems. Because
the vendors were no longer supporting these systems, no one was
addressing new vulnerabilities, leaving the Department’s operating
systems at unknown risk and with no alternate plan of actions.
11 A man-in-the-middle attack is an attack where the attacker
secretly relays and possibly alters the communication between two
parties who believe they are directly communicating with each
other.
12 Network access control is a policy-enforcement mechanism
designed to authenticate and authorize systems
attempting to connect to a network.
Department Relied on Unsecure Web Connections
The Department did not enable the use of an encryption protocol on 151 out of the 478 websites in its inventory to protect users and the information they submit via web portals. OMB M-15-13, “Policy to Require Secure Connections Across Federal Websites and Web Services,” requires that all publicly accessible Federal websites and web services provide service only through a secure connection. Further, agencies must make all existing websites and services accessible through a secure connection (HTTPS-only, with HSTS) by December 31, 2016.13 We found that only 327 of 478 (68 percent) active websites provided by the Department enforced the secure connection protocol mandate.
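An added example (not the report’s or the Department’s own tooling) of how the OMB M-15-13 requirement can be checked from captured responses: the plain-HTTP request must redirect to HTTPS on the same host, and the HTTPS response must carry a valid HSTS policy. The sites and responses below are constructed, and the one-year max-age threshold is an assumption of this example.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# One captured response: (status code, [(header name, value), ...]).
Response = Tuple[int, List[Tuple[str, str]]]
# Assumption for this example: HSTS shorter than one year is flagged (the preload list's floor).
ONE_YEAR = 31536000

def header(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None

def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def assess_site(host: str, http: Optional[Response], https: Response) -> Tuple[bool, List[str]]:
    """Return (compliant, findings) for the HTTPS-only-with-HSTS requirement; `http` is
    None when port 80 is not served at all, which already satisfies HTTPS-only."""
    findings = []
    if http is not None:
        status, hdrs = http
        target = urlsplit(header(hdrs, "Location") or "")
        if (status not in (301, 302, 307, 308) or target.scheme != "https"
                or target.hostname != host.lower()):
            findings.append("plain HTTP is answered without redirecting to HTTPS on this host")
    # Browsers honour HSTS only when it arrives over HTTPS, so it is checked there.
    raw = header(https[1], "Strict-Transport-Security")
    if raw is None:
        findings.append("HTTPS response carries no Strict-Transport-Security header")
    else:
        hsts = parse_hsts(raw)
        if hsts is None:
            findings.append("Strict-Transport-Security present but max-age missing or invalid")
        elif hsts["max_age"] == 0:
            findings.append("max-age=0 tells browsers to forget the HSTS policy")
        elif hsts["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age of %d seconds is below one year" % hsts["max_age"])
    return (not findings, findings)

def inventory_report(sites: Dict[str, Tuple[Optional[Response], Response]]) -> Dict[str, object]:
    """Roll-up matching the report's metric: how many sites enforce the mandate."""
    results = {h: assess_site(h, http, https) for h, (http, https) in sites.items()}
    compliant = sum(1 for ok, _ in results.values() if ok)
    return {"compliant": compliant, "total": len(results),
            "percent": round(100 * compliant / len(results)) if results else 0,
            "findings": {h: f for h, (ok, f) in results.items() if not ok}}

# Constructed captures (not real Department sites) covering the failure modes above.
SAMPLE_SITES = {
    "good.example.gov": ((301, [("Location", "https://good.example.gov/")]),
                         (200, [("Strict-Transport-Security",
                                 "max-age=31536000; includeSubDomains; preload")])),
    "no-redirect.example.gov": ((200, [("Content-Type", "text/html")]),
                                (200, [("Strict-Transport-Security", "max-age=31536000")])),
    "no-hsts.example.gov": ((302, [("Location", "https://no-hsts.example.gov/")]), (200, [])),
    "short-hsts.example.gov": ((301, [("Location", "https://short-hsts.example.gov/")]),
                               (200, [("strict-transport-security", "max-age=300")])),
    "https-only.example.gov": (None, (200, [("Strict-Transport-Security", "max-age=63072000")])),
}
```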
Personally Identifiable Information Not Consistently
Protected
The Department is not ensuring the protection of personally identifiable information, primarily Social Security number information, requested through its websites, because information entered is displayed in clear text. Further, the Department continues to use Social Security numbers as an identifier. Specifically, we found that out of the 478 websites we reviewed, 4 websites required users to log in with Social Security numbers. Additionally, none of the 4 websites were configured to mask sensitive personally identifiable information, and 1 of the 4 used the Social Security number as a primary identifier. We identified a similar condition relating to using Social Security numbers as a primary identifier in our FY 2014 FISMA audit.
Websites Not Displaying Warning Banners
The Department has websites that do not display warning banners when users log in to Departmental resources. The Department provided
5 separate lists of websites totaling 478 active websites. We
judgmentally selected the largest list that included 252 websites
and tested to see if the websites displayed a banner notifying
users that they were accessing a Government system. Of the 252
sites tested, 33 (13 percent) did not display a login banner as
mandated by NIST and Departmental guidance. The Department failed
to configure all of its websites to ensure compliance with login
banner requirements.
The Department’s and FSA’s Controls Over Web Applications and
Servers Need Improvement
As part of our security and vulnerability testing for the FISMA FY 2017 audit, we performed web application and server vulnerability assessments for 9 of the 10 judgmentally selected systems.14 As a result of our testing, we found that the Department and FSA should strengthen the implementation and management of their technical security architectures supporting applications and infrastructure, in order to restrict unauthorized access to information resources and protect them against potential application compromise.
Specifically, our testing identified that although some key controls were effectively implemented (such as network segmentation, endpoint protection, and firewalls), the security architecture could use further enhancements to strengthen the Department’s overall security posture. For example, we identified instances of (1) SQL injection execution vulnerabilities, (2) unsecure web protocols, (3) impersonation of user sessions, (4) unprivileged access, (5) remote code execution, and (6) missing patches.
13 Hypertext Transfer Protocol (or HTTP) is the foundation of data communication for the World Wide Web. HTTPS is the secure version of HTTP. HTTP Strict Transport Security (or HSTS) allows a web server to declare that web browsers should only interact with it using secure HTTPS connections.
14 Refer to the “Objective, Scope, and Methodology” section of this report for a complete list of systems subject to our testing.
NIST SP 800-53, Revision 4, provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the Federal Government
to meet the requirements of Federal Information Processing
Standards Publication 200, “Minimum Security Requirement for
Federal Information Systems.” This includes (1) configuration
management policies and procedures, (2) baseline configuration, (3)
minimization of personally identifiable information, (4)
unsupported system components, and (5) transmission confidentiality
and integrity.15 NIST SP 800-52, “Guidelines for the Selection,
Configuration and Use of Transport Layer Security Implementations,”
states that TLS version 1.1 is required, at a minimum, to mitigate
various attacks on version 1.0 of the TLS protocol. Support for TLS
version 1.2 is strongly recommended and agencies are required to
develop migration plans to support TLS 1.2 by January 1, 2015. NIST
SP 800-46, Revision 1, “Guide to Enterprise Telework and Remote
Access Security,” states that organizations should consider the use
of network access control solutions that verify the security
posture of a client before allowing it on an internal network.
Relying on outdated procedures; unsupported operating systems, databases, and applications; outdated application connection protocols; and improper configurations of access privileges and web encryption could lead to data leakage and exposure of personally identifiable information that can compromise the Department’s integrity and reputation. In addition, inadequate system configuration practices increase the potential for unauthorized activities to occur without being detected and could lead to potential theft, destruction, or misuse of Department data and its resources.
Recommendations
We recommend that the Deputy Secretary and Chief Operating
Officer require that OCIO and FSA—
2.1 Incorporate additional measures to, at a minimum, achieve
Level 3 Consistently Implemented status of the Configuration
Management program.
2.2 Immediately correct or mitigate the vulnerabilities
identified during the vulnerability assessment.
2.3 Ensure POA&Ms are created to remedy infrastructure
vulnerabilities identified in the hosting data center
environments.
15 Includes control numbers CM-1, CM-2, DM-1, SA-22, and
SC-8.
We recommend that the Deputy Secretary require OCIO to—
2.4 At a minimum, enforce TLS 1.1 or higher as the only
connection for all Department connections. (Repeat
Recommendation)
2.5 Discontinue the use of or develop a justification for using
unsupported operating systems, databases, and applications. (Repeat
Recommendation)
2.6 Ensure that all existing websites and services are
accessible through a secure connection as required by OMB
M-15-13.
2.7 Configure all websites to display warning banners when users log in to Departmental resources.
We recommend that the Chief Operating Officer require FSA
to—
2.8 Ensure that all websites and portals hosting personally
identifiable information are configured not to display clear
text.
2.9 Eliminate the use of Social Security numbers as an
authentication element when logging onto FSA websites by requiring
the user to create a unique identifier for account authentication.
(Repeat Recommendation)
Management Comments
The Department concurred with recommendations 2.1 to 2.3 and 2.6 to 2.9, and partially concurred with recommendations 2.4 and 2.5. For recommendations 2.1 to 2.3 and 2.6 to 2.9, the Department
stated it will develop corrective action plans by December 1, 2017,
to address the associated finding.
For recommendation 2.4, the Department stated that OCIO
published the requirement to implement Transport Layer Security
(TLS) version 1.1 in section 4.15.2 Policies of the Departmental
Handbook for Information Assurance/Cybersecurity Policy (OCIO-01),
dated January 18, 2017. As a result of the FY 2016 FISMA report and
associated finding, the Department also stated it led an effort to
ensure that POA&Ms and/or Risk Acceptance Forms, as
appropriate, were completed for each system that was identified to
have this vulnerability. The Department further stated that it will
work with the OIG to validate this finding and, if required,
develop a corrective action plan by December 1, 2017, to address
the associated finding.
For recommendation 2.5, the Department stated that at the time
of the response, OCIO has not received the background information
from the OIG to validate this finding. It also stated that some
software may be listed as “unsupported” by the vendor, but there
may be mitigations in place that allow the continued use of the
software on the network. The Department further stated that it will
work with the OIG to validate this finding and, if required,
develop a corrective action plan by December 1, 2017, to address
the finding.
OIG Response
The OIG will review the corrective action plans to determine
whether the actions will address the finding and recommendations
and, if so, will validate them during our FY 2018 FISMA audit.
Regarding recommendation 2.5, the OIG will provide the
background information to assist OCIO in validating the finding.
Once the corrective action plan is developed, the OIG will review
it to determine whether the actions will address the finding and
recommendation and, if so, will validate them during our FY 2018
FISMA audit.
METRIC DOMAIN 3—IDENTITY AND ACCESS MANAGEMENT
The Identity and Access Management metric domain includes
identifying, using credentials, and managing user access to network
resources. It also includes managing the user’s physical and
logical access to Federal facilities and network resources. Remote
access allows users to remotely connect to internal resources while
working from a location outside their normal workspace. Remote
access management is the ability to manage all connections and
computers that remotely connect to an organization’s network. To
provide an additional layer of protection, remote connections
should require users to connect using two-factor
authentication.
We determined that the Department’s and FSA’s Identity and
Access Management programs were consistent with the Defined level
of the maturity model. The Department’s and FSA’s roles and
responsibilities at the organizational and information system
levels for stakeholders involved in Identity, Credential, and
Access Management (ICAM) have been fully defined and communicated
across the organization. This includes, as appropriate, developing
an ICAM governance structure to align and consolidate the agency’s
ICAM investments, monitoring programs, and ensuring awareness and
understanding. However, while the Department has made several
improvements to its Identity and Access program, its practices in
several areas still do not meet the Managed and Measurable
threshold under the metrics to be considered effective. To meet
Managed and Measurable, the Department would need to achieve that
level in at least 5 of the 9 metric areas. For example, the
Department would need to demonstrate that it has transitioned to
its desired or “to-be” ICAM architecture and has integrated its
ICAM strategy and activities with its enterprise architecture and
the Federal Identity, Credentialing and Access Management segment
architecture.
The Department established OCIO-01, “Information
Assurance/Cybersecurity Policy,” dated January 2017, which sets
forth Department-level policies regarding (1) roles and
responsibilities of various senior positions relating to IT
security; (2) the annual review of the policy by the Department’s
Chief Information Security Officer; (3) access control and
authentication; (4) personnel security; (5) security screening for
all contractor and subcontractor employees (supplemented by OM
5-101, “Contractor Employee Personnel Security Screening”); (6) the
display of system warning banners; (7) system rules of behavior;
(8) network access control; (9) remote access; (10) user session
timeout; and (11) management of unsupported system components on
Department information systems.
The Department established Information Assurance Services 01,
“Logical Access Control Guidance” in October 2016. It identifies
roles and responsibilities, as well as requirements for the
selection, implementation, monitoring, and enforcement of logical
access controls as they relate to the Department’s information systems. These requirements
include (1) managing privileged user accounts, (2) using
multifactor authentication (personal identification verification or
token) for remote access, (3) the design and configuration of
automated monitoring capabilities and control of remote access
methods, (4) the design and configuration of cryptographic mechanisms
to protect the confidentiality and integrity of remote access
sessions, (5) session termination after 30 minutes of inactivity,
(6) the display of system warning banners, and (7) system rules of
behavior.
The Department issued the ICAM Enterprise Roadmap and the ICAM Implementation Plan in March 2017. The Roadmap and the Implementation Plan identify the goals and objectives of the Department’s ICAM programs and the targeted timeline for meeting them.
In March 2017, OCIO developed a token replacement strategy in
response to a FY 2016 FISMA OIG audit finding. The strategy was
designed to replace current token access with personal identity
verification cards for remote users who access the Department’s
network using non-Government furnished equipment but do not require
physical access to Department offices.
Issue 3. The Department’s and FSA’s Identity and Access
Management Program Needs Improvement
Of the nine metrics for the Identity and Access Management
domain, we found the Department and FSA to be at the Defined level
for seven metrics and the Ad Hoc level for two metrics. We found
that the Department and FSA can strengthen their controls regarding
identity and access management to enable them to progress to the
next maturity level in the areas of (1) ensuring appropriate
clearance requirements are met before granting system access, (2)
managing external privileged accounts, (3) implementing the ICAM
strategy, (4) implementing the network acce